McAfee Endpoint Upgrade Assistant 2.2.0 Product Guide

COPYRIGHT

Copyright © 2018 McAfee, LLC

TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, ePolicy Orchestrator, McAfee ePO, McAfee EMM, Foundstone, McAfee LiveSafe, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, True Key, TrustedSource, VirusScan are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.

LICENSE INFORMATION

License Agreement NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

Contents

1 Product overview 5 Key features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 How it works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

2 Preparing to upgrade 9

Preparation checklist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 Products that you can upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 McAfee product requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Setting up your test environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 High-level workflow for upgrades . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 How to use Endpoint Upgrade Assistant . . . . . . . . . . . . . . . . . . . . . . . . . . 13 Planning your deployment options . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

3 Upgrading with McAfee ePO 19 Deployment options using McAfee ePO tasks . . . . . . . . . . . . . . . . . . . . . . . . 19 What happens during upgrades . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 Workflow for deploying upgrades with McAfee ePO . . . . . . . . . . . . . . . . . . . . . . 20 Create a deployment task in Endpoint Upgrade Assistant . . . . . . . . . . . . . . . . . . . . 20 Create a deployment task in McAfee ePO . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Supported command-line options for upgrades . . . . . . . . . . . . . . . . . . . . 21

4 Upgrading with other solutions 25 Using Package Creator to create custom product installers . . . . . . . . . . . . . . . . . . . 25 Requirements for Package Creator . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 Workflow for upgrading with third-party tools . . . . . . . . . . . . . . . . . . . . . . . . 26 Download the McAfee Agent frame package file . . . . . . . . . . . . . . . . . . . . . . . 27 Create product installers with Package Creator . . . . . . . . . . . . . . . . . . . . . . . 27

5 Best practices and troubleshooting 29

Best practices for managing upgrade information . . . . . . . . . . . . . . . . . . . . . . 29 Export system and product information . . . . . . . . . . . . . . . . . . . . . . . 30

Troubleshooting blocked endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 Refresh the McAfee ePO database . . . . . . . . . . . . . . . . . . . . . . . . . 30

Troubleshooting installation and uninstallation issues . . . . . . . . . . . . . . . . . . . . . 31 Remove files after a failed installation . . . . . . . . . . . . . . . . . . . . . . . . 31

Troubleshooting issues with Endpoint Upgrade Assistant . . . . . . . . . . . . . . . . . . . . 32 Troubleshoot issues with Upgrade Automation . . . . . . . . . . . . . . . . . . . . . . . 32 Troubleshooting issues related to Package Creator . . . . . . . . . . . . . . . . . . . . . . 35

Increase package size limit in McAfee ePO . . . . . . . . . . . . . . . . . . . . . . 35 Reporting an issue to McAfee Support . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Contents

1 Product overview

®

McAfee Endpoint Upgrade Assistant is a tool that assists with upgrading endpoints in your managed ®

environment from older software or legacy products to McAfee Endpoint Security.

Administrators can use Endpoint Upgrade Assistant to:

• Analyze endpoints, detect the supported McAfee products that are installed, and determine the minimum

requirements for upgrading to Endpoint Security.

• Plan, deploy, and track product upgrades throughout the environment.

Endpoint Upgrade Assistant is bundled with Upgrade Automation client software, which runs on endpoints to manage the upgrade process.

Components

®

Endpoint Upgrade Assistant includes these McAfee

®

ePolicy Orchestrator

®

(McAfee

™

ePO ) components:

• Endpoint Upgrade Assistant extension — Install on the McAfee ePO server. Provides the features for analyzing, preparing, and tracking McAfee product upgrades for your environment. Make sure that your servers are running ePolicy Orchestrator 5.1.2 or later.

Endpoint Upgrade Assistant does not change the McAfee ePO environment. It collects and analyzes the data about an environment, then displays the requirements for upgrading endpoints to Endpoint Security.

• Endpoint Upgrade Automation client package — Deploy to managed endpoints. Provides ability to

remove, upgrade, and install supported McAfee products.

Upgrade Automation does change the environment. It removes existing products and installs new versions.

Customers who want to take advantage of Upgrade Automation, but don't use McAfee ePO for deployment purposes, can use the Endpoint Upgrade Assistant Package Creator tool. Download it separately to create custom, deployable product packages for use with McAfee ePO or third-party tools.

Contents

Key features How it works

Key features Endpoint Upgrade Assistant simplifies and automates the tasks required to upgrade McAfee products in McAfee ePO environments. Its features minimize the number of upgrade tasks and ensure product interoperability. It also provides information to assist with upgrading the Windows operating system.

Comprehensive analysis of your environment

Endpoint Upgrade Assistant analyzes the endpoints in your environment to determine the minimum requirements for upgrading. It checks whether other McAfee products are installed and whether they need to be upgraded to maintain compatibility with the products you've selected to upgrade.

The analysis runs automatically in the background when Endpoint Upgrade Assistant is installed, and you can run a new analysis whenever you need one.

Upgrade categories for endpoints

After Endpoint Upgrade Assistant analyzes your environment, it shows you which endpoints are ready to upgrade and which require some additional preparation.

• Upgrade complete — All systems successfully upgraded with selected software.

• Ready to upgrade — Ready to upgrade using Upgrade Automation.

• Requires product upgrades — Running incompatible versions of McAfee products that you need to upgrade

manually before running Upgrade Automation.

• Blocked from upgrading — Can't be upgraded or analyzed by Endpoint Upgrade Assistant. You need to resolve issues (for example, install a supported version of McAfee Agent), then re-analyze your environment.

Streamlined deployment with Upgrade Automation

Upgrade Automation can use a single product deployment task to install or upgrade all selected products on endpoints that are Ready to upgrade. When Upgrade Automation runs on an endpoint, it determines whether it needs to remove a legacy product or upgrade an earlier version of Endpoint Security, then it installs the selected version of Endpoint Security.

To use this feature, select the products and versions you want to install, check in the product package files to the McAfee ePO server, then click Create Deployment Task.

Tagged endpoints for upgrades

Endpoint Upgrade Assistant uses McAfee ePO tags to identify servers and workstations that require specific product upgrades. View these tags in the Tag Catalog under a group called Endpoint Upgrade Assistant Tags.

You can create a single tag for all endpoints eligible for automatic upgrades using Upgrade Automation.

When you create a deployment task in McAfee ePO, select one of the tags you've created with Endpoint Upgrade Assistant. All tagged endpoints are upgraded when the deployment task runs.

Product overview How it works

Deployment with McAfee ePO or third-party tools

Endpoint Upgrade Assistant’s Package Creator Tool provides options for deploying upgrades and a tool for creating custom upgrade installers to be used with deployment packages like SCCM and BigFix .

• Deployment from McAfee ePO — Upgrade endpoints that are ready for Upgrade Automation with a single

deployment task. You can create deployment tasks using Endpoint Upgrade Assistant or McAfee ePO.

• Deployment using third-party tools — Download the Endpoint Upgrade Assistant Package Creator tool to create custom product installers for use with McAfee ePO or third-party deployment tools. You can select the products to include in the installer and other options.

See also Products that you can upgrade on page 10 McAfee product requirements on page 10

How it works Endpoint Upgrade Assistant analyzes your environment, reports the information you need to plan your upgrade strategy, and provides features for deploying upgrades and tracking their status.

Best practice: Deploy upgrades in a test environment or to a test group, then verify the results before deploying

upgrades to the larger environment.

Tabs guide you through all the tasks required to upgrade.

1 Specify what to upgrade — Select the version of Endpoint Security to install and the System Tree groups.

2 Analyze your environment — Discover systems that require upgrades and systems that can't be analyzed.

3 Check in and install the required software — Check it in to the McAfee ePO server to make it available for deployment tasks using the Software Catalog.

4 Tag systems to upgrade — Create one tag for all the systems you want to upgrade with a single

deployment task.

You can tag all the systems that are ready for Upgrade Automation. You can also tag endpoints that require manual upgrades.

5 Deploy and track upgrades — Deploy using Upgrade Automation or manually configure McAfee ePO

deployment tasks.

You can also use Endpoint Upgrade Assistant Package Creator to create installers for third-party tools.

See also Setting up your test environment on page 12

2 Preparing to upgrade

Contents

Preparation checklist Products that you can upgrade McAfee product requirements Setting up your test environment High-level workflow for upgrades How to use Endpoint Upgrade Assistant Planning your deployment options

Preparation checklist To streamline the upgrade process, perform these tasks before upgrading.

• Verify that endpoints can be analyzed — Endpoint Upgrade Assistant analyzes endpoints managed with McAfee Agent. If your environment includes endpoints where McAfee Agent isn't installed or set to Managed mode, Endpoint Upgrade Assistant reports them as Blocked from Upgrading

• Set up a test environment — Select a subset of your System Tree to upgrade as a test.

Upgrading in a test environment allows you to verify that endpoints upgrade as expected, and make changes as needed, before deploying upgrades to all endpoints.

• Disable features that detect and reinstall uninstalled products — If you have set up applications or

processes to detect when programs are uninstalled and reinstall them automatically, be sure to disable this functionality.

Upgrade Automation can uninstall legacy products during the upgrade process. Make sure your endpoint doesn't reinstall them before the tool installs upgraded products.

• Install Endpoint Upgrade Assistant on the McAfee ePO server — Endpoint Upgrade Assistant is a

self-contained McAfee ePO extension that you can download from Software Manager.

Endpoint Upgrade Assistant also checks in the Endpoint Upgrade Automation client package to all branches of McAfee ePO. This lets you deploy from any branch.

• (Optional) Prepare to migrate legacy product settings — To preserve custom settings for legacy products,

you need to migrate those settings on the McAfee ePO server during the upgrade process. To prepare for migration:

• Review your custom policy settings and client tasks, consolidating them where possible. Remove duplicate and unused policies and tasks.

• Install the Endpoint Migration Assistant extension on the McAfee ePO server.

See the McAfee Endpoint Security Migration Guide for more information.

• (Optional) Prepare for deployment with third-party solutions — If you plan to deploy with third-party solutions, download the Endpoint Upgrade Assistant Package Creator tool from Software Manager to a system that has access to the installer packages.

See also Troubleshooting blocked endpoints on page 30 Setting up your test environment on page 12 Using Package Creator to create custom product installers on page 25

Products that you can upgrade

You can use Upgrade Automation to upgrade supported products with a single deployment task.

Product Upgrade Automation action

Upgrades to Endpoint Security

Endpoint Security 10.5.2 or later Upgraded to Endpoint Security 10.5.3 or later ® ®

McAfee VirusScan Enterprise 8.8 and later Replaced with Endpoint Security Threat Prevention ®

McAfee Threat Intelligence Exchange (TIE) for VirusScan Enterprise 1.x and later

Removed

®

McAfee Host Intrusion Prevention (McAfee Host IPS) 8.8 and later

Replaced with Endpoint Security Firewall (Optional)

® ®

McAfee SiteAdvisor Enterprise Replaced with Endpoint Security Web Control (Optional)

None ®

McAfee Endpoint Security Adaptive Threat Protection (ATP) installed (Optional)

Upgrades for other McAfee products

McAfee Agent 4.6 and later Upgraded to version 5.0.2.333 or later ®

McAfee Data Loss Prevention (McAfee DLP) 9.2 and later

Upgraded to selected version (Optional)

®

McAfee Data Exchange Layer (DXL) Client 4.0 and earlier

Upgraded to selected version, or installed if not present (Optional)

®

McAfee Active Response 2.2 or later Upgraded to selected version, or installed if not present (Optional; Requires Endpoint Security Adaptive Threat Protection)

McAfee product requirements

Endpoint Upgrade Automation requires that supported McAfee products are installed on endpoints you plan to upgrade and that all required product upgrade packages are checked in.

Other McAfee products running on endpoints

Upgrade Automation coexists on endpoints with these products, but does not change them:

Product Versions ®

McAfee File and Removable Media Protection (FRP) 4.3.1.153 and later ®

McAfee Drive Encryption 7.1.1 and later ®

McAfee Change Control 6.1.2.440–6.1.3.0, 6.1.3.440–6.1.4.0, or 6.2.0.504 and later

These products prevent Upgrade Automation from running:

Product Versions

VirusScan Enterprise 8.7 and earlier ®

McAfee MOVE AntiVirus ®

McAfee MOVE Firewall

All versions

®

McAfee ePO Deep Command Discovery plugin All versions ® ™

McAfee Deep Defender All versions

Products checked in to McAfee ePO

When you install the Endpoint Upgrade Assistant extension, the Upgrade Automation package is checked in to all McAfee ePO branches: Current, Evaluation, and Previous. This lets you deploy Upgrade Automation from any branch.

Before running Endpoint Upgrade Assistant, you must check in the packages for any of these products that you plan to install or upgrade:

• McAfee Agent 5.0.5 or later

• McAfee DLP 9.3 Patch 6 or later

• Data Exchange Layer Client 4.0 or later

• McAfee Active Response 2.2 or later (Requires Endpoint Security Adaptive Threat Protection)

• Endpoint Security 10.5.2, 10.5.3, 10.5.4, or 10.6

Endpoint Security has these product modules:

• McAfee Endpoint Security Platform (the McAfee Endpoint Security Common module) (Required,

checked in automatically with any other module)

• Threat Prevention (Required)

• Firewall (Optional)

• Web Control (Optional)

• Adaptive Threat Protection (Optional, purchased separately. Requires Threat Prevention.)

All modules except Adaptive Threat Protection are selected to install, by default. You can specify not to install optional modules. Threat Prevention is required (and the Endpoint Security Platform module is silently installed with it).

Check in these products to the same McAfee ePO branch where you plan to deploy Endpoint Upgrade Assistant.

Endpoint Upgrade Assistant installs the products that you have checked in. If you do not select any modules to install or check them in to McAfee ePO, the Upgrade Automation deployment task fails.

See also Requirements for Package Creator on page 26

Setting up your test environment Use a test environment to upgrade a subset of endpoints in preparation for performing a controlled rollout of Endpoint Upgrade Automation package across your environment.

Upgrade Automation ensures that endpoints do not end up in an unsuitable state. However, upgrades for multiple products, groups, and endpoint types involve many components, and you might not always anticipate the results correctly. It's important to test upgrades in test environments or small groups before upgrading your entire environment.

General guidelines

Review these best practices before setting up your test environment.

• Do not include endpoints that are essential to your daily operations in your test environment.

• Select endpoints that reflect the diversity of your environment. For example, include one endpoint from each upgrade step.

• Use the Overview tab to identify suitable endpoints by reviewing the software running on them.

• Use the Prepare tab to ensure that the necessary software packages are available in the correct software branch.

• Use the Deploy & Track tab to identify the deployments performed using Endpoint Upgrade Assistant.

• When selecting a test environment, make sure that you consider the following information to identify

representative endpoints:

• McAfee product combinations and versions

• Operating systems

• Servers and workstations

Best practice: Test on a subset of servers before upgrading your entire server environment.

• Validate the upgrade on servers and workstations.

Some endpoints might require a restart. You need to restart them manually; the Upgrade Automation deployment task doesn't initiate a restart after all upgrades are complete.

High-level workflow for upgrades Follow this workflow to upgrade your environment to Endpoint Security.

Before upgrading, ensure that your environment and the systems you plan to upgrade meet the requirements.

See the McAfee Endpoint Security Installation Guide, McAfee Endpoint Security Migration Guide, and McAfee ePolicy Orchestrator Product Guide for more information about these tasks.

1 Prepare policies as needed.

2 On the Endpoint Upgrade Assistant landing page, analyze your environment.

3 On the Overview tab, view all products that require upgrades and determine which systems are suitable for

immediate, automatic upgrade.

If some systems are blocked from upgrading, you can manually upgrade them with required products, then re-analyze your environment.

4 On the Prepare tab, verify that all required software is available (check in or download).

5 Manually update the content files required for Endpoint Security.

6 Migrate policies, client tasks, and other settings from supported legacy products on the McAfee ePO server. (Required only when migrating legacy product settings.)

7 Configure policies as needed.

8 Deploy or install the client software with default or custom settings.

Endpoint Upgrade Assistant provides multiple options for deploying with McAfee ePO tasks. You can also use Endpoint Upgrade Assistant Package Creator to create custom installers for use with third-party deployment solutions.

Best practice: Restart the endpoints manually after upgrading, taking care to consider the effects of restarts

in server environments. Upgrade Automation doesn't restart endpoints after deployment.

9 Verify that the upgrade completed successfully.

See also Create a deployment task in Endpoint Upgrade Assistant on page 20 Create a deployment task in McAfee ePO on page 21 Create product installers with Package Creator on page 27

How to use Endpoint Upgrade Assistant Endpoint Upgrade Assistant organizes the information you need to analyze, plan, deploy, and track upgrades on three tabs. Follow these guidelines for using the product's features to meet the needs of your environment.

Launching Endpoint Upgrade Assistant

After installing the Endpoint Upgrade Assistant extension, click the product in the Software section of the McAfee ePO main menu.

Analyzing your environment

On the landing page, select these options, then analyze your environment to find out what upgrades are required:

• Version of Endpoint Security to upgrade to.

• Endpoints to analyze — Analyze the entire System Tree or a single group and its subgroups.

You can use the System Tree to select subsets of your environment for analysis, which might reduce the time required to perform the analysis and provides flexibility when planning upgrades. The time required to analyze your selection depends on the size of the McAfee ePO database and the number of endpoints selected.

This option lets you select a subset of your environment for a test environment, so that you can deploy and verify upgrades to non-critical endpoints before upgrading your entire environment.

Endpoint Upgrade Assistant analyzes the McAfee ePO database to determine what endpoint software is in your environment and how that compares to the product versions recommended by McAfee.

Getting a visual overview of your environment

The top of each tab features a pie chart and table that summarize the number of systems in four categories:

• Upgrade complete — Successfully upgraded to Endpoint Security.

• Ready to upgrade — Ready to upgrade to Endpoint Security using Upgrade Automation.

• Require product upgrades — Running incompatible versions of McAfee products that you need to upgrade manually before running Upgrade Automation.

• Blocked from upgrading — Can't be upgraded or analyzed by Endpoint Upgrade Assistant. A checkbox lets you

exclude systems that aren't managed by McAfee Agent from this overview.

Search, sort, filter, and validate Endpoint Upgrade Assistant results by downloading the information for each category in comma-separated values (CSV) format. Use this information for purposes such as debugging, identifying the endpoints required for upgrades, and resolving differences between the reported and expected status of endpoints.

• View Systems — Displays a page listing the corresponding systems that you can export.

• Export System and Product Details — Creates a list of endpoints with their name, path, and type (server or

workstation). Adds the products and versions running on endpoints. This lets you sort by product to create a listing of all endpoints running each version of each product (for example, outdated versions of McAfee Agent).

Getting a detailed overview of your environment

After analysis is complete, use the Overview tab to identify systems that:

• Are ready to upgrade to Endpoint Security automatically.

• Have incompatible software installed — See the steps required to make them compatible for upgrades. You can tag these systems, create deployment tasks to upgrade them, then re-analyze your environment to determine whether they are ready to upgrade automatically.

• Have issues that prevent Endpoint Upgrade Assistant from analyzing or upgrading them — Resolve these

issues, then re-analyze your environment.

The Overview tab provides details about:

• Products and number of endpoints that require upgrades.

• The minimum product versions required for upgrades.

• Technical articles with additional information about the products to be upgraded.

• Current versions of products in your environment and number of endpoints where they are installed.

When McAfee Agent is installed on endpoints that you plan to upgrade, this deployment option is available:

• Do not remove versions of McAfee Agent that are compatible with McAfee Endpoint Security — When this option is selected and a compatible version of McAfee Agent is installed, it won't be upgraded.

Preparing to upgrade

Use the Prepare tab to make sure the required software is available for automatic upgrades.

• Endpoint Upgrade Assistant lists the software packages that you need to check in to Software Manager. It shows what is currently checked in and what needs to be upgraded to meet the product versions recommended by McAfee. Check in all packages to the same branch.

When you installed the Endpoint Upgrade Assistant extension, the Upgrade Automation client package was checked in to all McAfee ePO branches. This lets you deploy Upgrade Automation from any branch.

• After checking in the required software packages, click Refresh to confirm that your server is up to date.

Use the information on this tab to identify:

• Product client packages required for upgrades.

• Product client packages currently checked in — You can view the Current, Evaluation, or Previous branch.

You must check in all packages to the same branch to use Upgrade Automation.

• Product extensions required — If the products you're upgrading require a product extension, install those on the McAfee ePO server manually.

Endpoint Upgrade Assistant checks for the minimum required version for McAfee Agent. It looks for specific versions of Endpoint Security. It lets you select a version of McAfee DLP to install.

Best practice: If you don't want to create a deployment task manually, click Copy Command Line in Endpoint

Upgrade Assistant to copy to the Windows clipboard the command-line options that match your selections on the Overview and Prepare tabs.

Deploying and tracking upgrades in Endpoint Upgrade Assistant

Use the Deploy & Track tab to create deployment tasks for automatic upgrades and verify the status of scheduled deployment tasks.

• Click Create Deployment Task to configure and schedule an automatic upgrade.

• Check the status of deployment tasks you have created — For deployment tasks that are running or

completed, view the status of the upgrade on each endpoint (Install Successful, Failed, or Pending).

See also Best practices for managing upgrade information on page 29 Export system and product information on page 30 Troubleshooting blocked endpoints on page 30

Planning your deployment options Endpoint Upgrade Assistant lets you customize upgrades by specifying options for the upgrade workflow when you create the package file and deployment task. Before upgrading, you should decide which options you want to use.

Specify these options in different ways, depending on your deployment method.

Keeping compatible versions of McAfee Agent

When McAfee Agent version 5.0.2.333 or later is installed on an endpoint where you plan to upgrade Endpoint Security, upgrading McAfee Agent is optional. You can choose not to upgrade McAfee Agent when you create the deployment task.

When you specify this option and a compatible version of McAfee Agent is present on the endpoint, the McAfee Agent installation package isn't downloaded and the McAfee Agent isn't upgraded.

If all the endpoints you plan to upgrade have versions of McAfee Agent that are compatible with Endpoint Security, it is not necessary to check in McAfee Agent to the McAfee ePO branch. However, if an incompatible version of McAfee Agent is installed on any endpoint, the deployment task attempts to download the version of McAfee Agent that is checked in. In these cases:

• If version 5.0.5 or later is checked in — Upgrade Automation upgrades McAfee Agent and installs

Endpoint Security.

• If version 5.0.5 or later is not checked in — Upgrade Automation fails on the endpoints that have an incompatible version of McAfee Agent.

This option is available on the Overview tab in Endpoint Upgrade Assistant or as a command-line option in McAfee ePO. It is also available in Endpoint Upgrade Assistant Package Creator.

Reporting in System Custom Property fields

Endpoint Upgrade Assistant provides the ability to monitor some endpoint events during deployment by using command-line options. This allows you to know when specific events occur and respond to them, if needed. For example, you can check when it's time to restart the endpoint after upgrading McAfee DLP.

Events are reported in one of the four Custom fields that appear on the System Properties tab of the McAfee ePO System Details page.

This option is available as a command-line option in McAfee ePO.

Selecting McAfee SysPrep options

McAfee SysPrep is a standalone tool that adds third-party injectors to the McAfee Trusted Store, which ensures that the injectors work together with Endpoint Security. A version of SysPrep is packaged with Endpoint Upgrade Assistant, but if a later version of SysPrep is available, Upgrade Automation can use it with the current version of Endpoint Upgrade Assistant.

• From McAfee ePO — Check in the updated SysPrep package to the same branch in McAfee ePO as Endpoint Upgrade Assistant. When Upgrade Automation runs on the endpoint, it downloads and runs the updated SysPrep package.

• From Package Creator — Select the new SysPrep package to include in the installer.

When SysPrep returns a failure message, such as Unknown 3rd party DLL injector is found, the default functionality is that Endpoint Upgrade Assistant does not stop running, because not all third-party injections cause an issue with Endpoint Security.

You can choose to stop Endpoint Upgrade Assistant when a third-party DLL injector is found. In this case, Endpoint Upgrade Assistant does not remove VirusScan Enterprise and McAfee Host IPS, to ensure that the endpoint is always protected. This option is available as a command-line option in McAfee ePO. It is also available in Endpoint Upgrade Assistant Package Creator.

Custom Log location

Users can now set a custom log location via command line when using the McAfee ePO deployment page or entering the custom log path when using the EUA Package Creator. If no log location is provided the default will be used.

See also Supported command-line options for upgrades on page 21

Sending telemetry data to McAfee

Endpoint Upgrade Automation now includes a telemetry feature that collects and sends anonymous deployment data to McAfee. This data will be used to improve product robustness and performance in future releases.

This option is available as a command-line option in McAfee ePO. It is also available in Endpoint Upgrade This option is enabled by default. You can disable it by using a command-line option in McAfee ePO, or by selecting System | Send Telemetry to toggle the feature on and off in Package Creator. A checkmark appears when the feature is enabled.

The telemetry feature collects the following anonymous data:

• Product name (EUA)

• Product version

• Iteration number

• List of products installed prior to upgrade

• List of products installed post upgrade

• List of completed upgrade progress milestones

• Command line used for upgrade

• MD5 hash of machine GUID

• Machine locale (LCID)

• Success/failure of deployment

• Return code from Endpoint Upgrade Assistant

See also Supported command-line options for upgrades on page 21

3 Upgrading with McAfee ePO

Contents

Deployment options using McAfee ePO tasks What happens during upgrades Workflow for deploying upgrades with McAfee ePO Create a deployment task in Endpoint Upgrade Assistant Create a deployment task in McAfee ePO

Deployment options using McAfee ePO tasks You can deploy upgrades using Endpoint Upgrade Assistant or standard McAfee ePO deployment methods.

• From Endpoint Upgrade Assistant — Click Create a deployment task on the Deploy & Track tab.

• From McAfee ePO:

• Create a deployment task on the Product Deployment page.

• Create a client task.

What happens during upgrades When you deploy the Upgrade Automation client software to an endpoint, it performs these tasks for the products you've specified to upgrade.

1 Downloads the software packages you've checked in for the products you want to upgrade, then verifies that they're the correct product versions.

2. Verifies that no Windows Updates are pending. If so, EUA will exit until updates are applied.

3 Verifies that no conflicting products exist on the endpoint.

4 Harvests local policies for VirusScan Enterprise and McAfee Host IPS.

5 Removes VirusScan Enterprise, McAfee Host IPS, and Threat Intelligence Exchange (TIE) for VirusScan Enterprise.

6 Upgrades McAfee Agent (if selected) and installs Endpoint Security, which then applies the local policies.

7 Upgrades McAfee Data Loss Prevention to the selected version.

8 Installs or upgrades McAfee Data Exchange Layer Client to the selected version.

9 Installs or upgrades McAfee Active Response Client to the selected version.

10 Sends telemetry data to McAfee when installation is complete.

Workflow for deploying upgrades with McAfee ePO Follow this workflow to upgrade endpoints using McAfee ePO.

Before upgrading, ensure that your environment and the systems you plan to upgrade meet all requirements.

See the McAfee Endpoint Security Installation Guide and McAfee ePolicy Orchestrator Product Guide for more information about these tasks.

1 Prepare policies as needed.

• If you are migrating legacy policies — Review and revise your settings to eliminate unused, outdated, and duplicate settings.

• If you are preconfiguring policies — Create a custom package using Endpoint Security Package Designer. See the McAfee Endpoint Security Installation Guide for instructions.

2 On the Endpoint Upgrade Assistant landing page, analyze your environment.

3 On the Overview tab, view all products that require upgrades and determine which systems are suitable for

immediate upgrade.

If some systems are blocked from upgrading, you can manually upgrade them with required products, then re-analyze your environment.

4 On the Prepare tab, verify that all required software is checked in to McAfee ePO.

5 Manually update your McAfee ePO server with the latest AMCore, Exploit Prevention, and Adaptive Threat

Protection files (if needed) content files required for Endpoint Security.

See the McAfee Endpoint Security Installation Guide for instructions. See the Endpoint Security Common Product Guide for more information about content files.

6 (Required only when migrating legacy product settings.) Migrate policies, client tasks, and other settings

from supported legacy products on the McAfee ePO server.

You need to install the Migration Assistant extension before migrating. See the McAfee Endpoint Security Migration Guide for more information.

7 Configure policies as needed.

8 Create a deployment task, then deploy the client software to endpoints.

Best practice: Restart the endpoints manually after upgrading, taking care to consider the effects of restarts

in server environments. Upgrade Automation doesn't restart endpoints after deployment.

9 Verify that the deployment task completed successfully.

• From Endpoint Upgrade Assistant — Check the Deploy & Track tab for the status of the task and endpoints.

• From McAfee ePO — Check that the client software is installed and up to date on all endpoints.

Create a deployment task in Endpoint Upgrade Assistant Create a McAfee ePO deployment task directly from the Deploy & Track tab. This deploys products using Upgrade Automation.

See the McAfee ePO Product Guide for more information.

Task

1 On the Deploy & Track tab, click Create Deployment Task.

2 On the Create Deployment Task page, specify a name for the task.

The branch and product options that were selected on the Prepare and Overview tabs appear. If you want to change them, cancel this task, select the correct settings on those tabs, then begin this task again.

3 For Policy Migration, select the checkbox to acknowledge that you have either migrated legacy custom policies

and client tasks or understand that McAfee Default policy settings will be enforced. (Required only when migrating legacy product settings.)

4 Specify when to run the deployment task.

The default setting is Run immediately. If you're scheduling it for later, specify a date and time.

5 Select the systems to upgrade.

By default, both workstations and servers are upgraded. You can also select individual systems from a list.

6 Click Create.

7 Verify that the information for the task is correct, then click OK.

Create a deployment task in McAfee ePO When systems are ready to upgrade using Upgrade Automation, you can deploy upgrades with standard McAfee ePO deployment methods.

Task

1 In McAfee ePO:

• On the Product Deployment page in McAfee ePO, create a new deployment task.

• From the Client Task Catalog in McAfee ePO, select a Client Task Type of McAfee Agent | Product Deployment Task, then create a new task.

2 From the Product and Components section, select the Upgrade Automation package that you installed with

Endpoint Upgrade Assistant.

3 From the Tag Catalog, select the Upgrade Automation tag that you created with Endpoint Upgrade Assistant.

4 Specify other options as needed.

Upgrade Automation supports several command-line options.

5 Create the task.

Supported command-line options for upgrades Upgrade Automation supports these command-line options for deployment tasks created in McAfee ePO.

If you don't want to create a deployment task manually, click Copy Command Line in Endpoint Upgrade

Assistant to copy to the Windows clipboard the command-line options that match your selections on the Overview and Prepare tabs.

Option Description

--keepma Do not upgrade versions of McAfee Agent that are compatible with Endpoint Security.

--excludefw Do not deploy Endpoint Security Firewall. The module won't be downloaded and installed.

--excludewc Do not deploy Web Control. The module won't be downloaded and installed.

--upgradedlp=<version> Upgrade McAfee DLP to the specified version if it's present in the selected McAfee ePO branch. Supported versions are: 9.3, 9.4, 10, and 11. If this command-line option is not present, McAfee DLP isn't upgraded.

--installatp Install Adaptive Threat Protection.

--installdxl Install Data Exchange Layer.

--installmar Install the version of Active Response that is checked in to the same branch as Endpoint Upgrade Assistant. If version 2.2 is installed and version 2.3 is checked in, version 2.2 is upgraded to version 2.3.

--tag[=1–4]

where:

1–4 specifies one of four Custom fields

Report endpoint events in a Custom field on the System Properties tab in the McAfee ePO System Details page.

For example, --tag=3 reports endpoint events in the Custom 3 field, and --tag or --tag=1 reports in the Custom 1 field.

--exitondllinjector Stop the Endpoint Security upgrade if McAfee SysPrep returns a failure message.

--ignorebatterylevel Ignore battery charge level if the endpoint is a mobile computer.

--notelemetry Do not collect and send anonymous telemetry data from Endpoint Upgrade Automation.

--retryafterreboot If Endpoint Security fails to install on the first attempt — Do not initiate a restart automatically. Wait until the endpoint restarts, then attempt to install Endpoint Security. If Endpoint Security is manually installed before the endpoint restarts — Detect that the product is installed and cancel the pending installation.

--ignoreensoscheck By default, UA checks if the version of ENS you’re installing is compatible with the target Windows client version. If it’s found to be incompatible, migration will not continue. If this command line is supplied, ENS will be installed on the client regardless of Windows version.

--log For UA deployment using the McAfee ePO Product deployment page, this command line argument will allow you to set a custom log location. For example: “--log=C:\mcafeeEUALOGS” will create the directory C:\mcafeeEUALOGS\” and place its log files there. For the EUA Package creator, a text box is provided for custom log location input.

Supported events for Custom fields

Not all upgrade workflows use all the supported event properties. Endpoint Upgrade Assistant reports these properties:

Property Description

EUA_CLIENT_EXECUTION_STARTED Endpoint upgrade has started.

EUA_REBOOT_REQUIRED ENS_INSTALL_PENDING

Restart the endpoint.

EUA_ENDPOINT_REBOOTED ENS_INSTALLING

• Endpoint has been restarted.

• Endpoint Security is installing.

Property Description

EUA_EXECUTION_COMPLETE • Deployment task is completed.

• Check the status of the deployment task on the Deploy & Track tab.

EUA_EXECUTION_COMPLETE

REBOOT_REQUIRED DLP_UPGRADED

• Deployment task is completed.

• Check the status of the deployment task on the Deploy & Track tab.

• Restart the endpoint to enable McAfee DLP.

These are some general guidelines for using the Custom fields:

• Endpoint Upgrade Assistant doesn't remove or change the value displayed. For example, if you restart an endpoint, the REBOOT_REQUIRED value doesn't change.

• The value in the Custom field isn't updated or removed until it is overwritten by another task on the

endpoint.

• If a Custom field is being used by another application for another purpose, reporting for Endpoint Upgrade Assistant might be affected.

• The --tag option is not related to tagging endpoints for updates in the System Tree.

Compatibility of command-line options

Command-line options are case sensitive. If you enter an invalid or an unrecognized option, the upgrade will not start. EUA will exit without making any system changes

Specifying multiple options can result in conflicting actions. Here's how Endpoint Upgrade Assistant resolves conflicting command-line options:

Options Result

--tag=2 --keepma • Does not upgrade McAfee Agent if it is compatible with Endpoint Security.

• Reports endpoint events in the Custom 2 field on the System Properties tab in the McAfee ePO System Details page.

See also Planning your deployment options on page 15 Using Package Creator to create custom product installers on page 25

4 Upgrading with other solutions

Contents

Using Package Creator to create custom product installers Requirements for Package Creator Workflow for upgrading with third-party tools Download the McAfee Agent frame package file Create product installers with Package Creator

Using Package Creator to create custom product installers Use the Endpoint Upgrade Assistant Package Creator tool to create product installers for deployment with third-party solutions or McAfee ePO.

This custom product installer contains everything needed to upgrade systems to Endpoint Security: the installers for each product you plan to upgrade and the Upgrade Automation client software. Package Creator requires administrator credentials.

Downloading Package Creator

You need to download Package Creator from Software Manager or your McAfee product download site and launch it on a system that has access to the product installers you plan to deploy.

Locating the installers

You must download all the installers for the products you plan to upgrade on the system where you run Package Creator. It uses these product installers to create the final upgrade installer. Package Creator generates a single upgrade installer, which contains the product installer for each product you plan to upgrade and the Upgrade Automation client software.

Products to upgrade

Package Creator lets you select the same product upgrade options that are available when creating deployment tasks with Endpoint Upgrade Assistant and McAfee ePO. For example, select Endpoint Security modules to install and existing McAfee products to upgrade or remove.

Product deployment method

The way you plan to deploy upgrades determines the type of product installer that Package Creator creates:

• A package for use with McAfee ePO — Check in this file to the McAfee ePO server. Package Creator validates the package while creating it.

Best practice: Check and increase the package size limit in McAfee ePO before uploading large packages. See KB90036 for further information

This package can deploy all individual product installers with one deployment task and ensures that no additional downloads are required when upgrading to Endpoint Security. Because it contains the installer for McAfee Agent, you can move endpoints from one McAfee ePO server to another during upgrades.

Best practice: Use Package Creator to create a deployment package when you plan to move endpoints to a

new McAfee ePO server during the upgrade.

• An application for use with third-party deployment solutions — Check in this file to the repository for your third-party tool. This is a self-extracting .exe file that extracts the installers, then runs Upgrade Automation to automatically upgrade endpoints with the selected options.

See also Create product installers with Package Creator on page 27 Planning your deployment options on page 15 Supported command-line options for upgrades on page 21 Increase package size limit in McAfee ePO on page 35

Requirements for Package Creator If you plan to use Package Creator to create installers for deployment with McAfee ePO, you must install required Microsoft libraries on the system where you run Package Creator.

• .NET 4.5 framework

Package Creator requires SYSTEM permissions to deploy. Minimum desktop resolution for the Package Creator is 1280x720

Workflow for upgrading with third-party tools Follow this workflow to upgrade endpoints using third-party deployment solutions.

You must have administrator credentials to use Endpoint Upgrade Assistant Package Creator. Before upgrading, ensure that your environment and the systems you plan to upgrade meet the requirements.

See the McAfee Endpoint Security Installation Guide and McAfee ePolicy Orchestrator Product Guide for more information about these tasks.

1 Download Package Creator from Software Manager.

2 Prepare policies as needed.

• If you are migrating legacy policies — Review and revise your settings to eliminate unused, outdated, and duplicate settings.

• If you are preconfiguring policies — Create a custom package using Package Creator. See the McAfee

Endpoint Security Installation Guide for instructions.

3 On the Endpoint Upgrade Assistant landing page, analyze your environment.

Upgrading with other solutions Download the McAfee Agent frame package file

4 On the Overview tab, view all products that require upgrades and determine which systems are suitable for immediate upgrade.

5 Download the installers for products you plan to upgrade.

• Download the McAfee Agent (version 5.0.5 or later) frame file from your target McAfee ePO server. The file is named FramePkg.exe. Files named SmartInstaller.exe or Frminst.exe don't work.

• Download each of the products that you plan to install. They are available as a .zip file from Software

Manager or the McAfee product download page: https://secure.mcafee.com/apps/downloads/ my-products/login.aspx?region=us. A grant number and email address is required to download the Endpoint Security bundle.

6 Manually update your McAfee ePO server with the latest AMCore, Exploit Prevention, and Adaptive Threat

Protection files (if needed) content files required for Endpoint Security. See the McAfee Endpoint Security Installation Guide for instructions. See the Endpoint Security Common Product Guide for more information about content files.

7 (Required only when migrating legacy product settings.) Migrate policies, client tasks, and other settings

from supported legacy products on the McAfee ePO server. You need to install the Migration Assistant extension before migrating. See the McAfee Endpoint Security Migration Guide for more information.

8 Configure policies as needed.

9 Run Package Creator and create an executable product installer for third-party deployment.

10 Check in the product installer to the repository for your third-party tools, then deploy to endpoints. NOTE: SYSTEM Permissions are required for the package to execute.

Best practice: Restart the endpoints manually after upgrading, taking care to consider the effects of restarts

in server environments. Upgrade Automation doesn't restart endpoints after deployment.

Download the McAfee Agent frame package file Package Creator needs a compatible installer for McAfee Agent, to include in the custom installer that it generates. You need to download this installer, called a frame package, from your target McAfee ePO server. The correct file is named FramePkg.exe. Files named SmartInstaller.exe or Frminst.exe don't work.

Task

1 In McAfee ePO, click System Tree | New Systems.

2 For How to add systems, select Create and download agent installation package.

3 For version, select Windows and 5.0.5 or later.

4 Click OK to download a valid McAfee Agent installer from your McAfee ePO server. Create product installers with Package Creator

Use Package Creator to create a single package or installation file that contains all the individual product installers required for upgrades. Then deploy the file with third-party solutions or McAfee ePO.

Before you begin You must have administrator credentials to use Package Creator. Before upgrading, ensure that your environment and the systems you plan to upgrade meet the requirements.

Task

1 Download Package Creator if you haven't already done so, then install it on an endpoint that has access to the product installers you want to deploy.

Download the software from Software Manager or your McAfee product download site.

2 In Package Creator, specify the locations of the installers for Endpoint Security and McAfee Agent.

The installer for McAfee Agent is called a frame package (FramePkg.exe).

3 Select optional components to install.

Threat Prevention is required, and Endpoint Security Platform (the Common module) is installed automatically with it. Other modules and products are optional.

4 Select whether to upgrade versions of McAfee Agent that are compatible with Endpoint Security.

5 Select the type of product installer to create:

• A package .zip file to deploy with McAfee ePO.

• An executable application to install with third-party tools.

6 Verify that you've specified the correct information, then click Create.

5 Best practices and troubleshooting

Contents

Best practices for managing upgrade information Troubleshooting blocked endpoints Troubleshooting installation and uninstallation issues Troubleshooting issues with Endpoint Upgrade Assistant Troubleshoot issues with Upgrade Automation Troubleshooting issues related to Package Creator Reporting an issue to McAfee Support

Best practices for managing upgrade information Endpoint Upgrade Assistant uses several McAfee ePO features that assist you with planning and implementing your upgrade strategy.

Using queries and reports

Each time it analyzes an environment, Endpoint Upgrade Assistant creates a query that you can view in McAfee ePO under Queries & Reporting. Use these queries to create reports containing the information you need to plan and track your upgrades, then save them in PDF format.

Endpoint Upgrade Assistant queries display results from the last System Tree or group you analyzed. Data from previous analyses is overwritten.

Exporting system details

System administrators can search, sort, filter, and validate Endpoint Upgrade Assistant results by downloading the information for a selected category in comma-separated values (CSV) format. Use this information for purposes such as debugging, identifying the endpoints required for upgrades, and resolving differences between the reported and expected status of endpoints.

• Export Systems — Creates a list of endpoints with their name, path, and type (server or workstation).

• Export System and Product Details — Adds the products and versions running on endpoints. This lets you sort by

product to create a listing of all endpoints running each version of each product (for example, outdated versions of McAfee Agent).

• View Systems — Displays a page listing the corresponding systems that you can export.

Tag management

Endpoint Upgrade Assistant creates McAfee ePO tags to label endpoints in the McAfee ePO database. Use them to tag endpoints that require the same upgrade steps, even if the endpoints are in different System Tree groups.

When you tag a group of endpoints in Endpoint Upgrade Assistant, the tag appears in the Tag Catalog in the Endpoint Upgrade Assistant Tags group. This lets you create deployment tasks that deploy upgrades to these tagged endpoints.

To deploy to a subset of tagged endpoints, use one of these methods:

• In Endpoint Upgrade Assistant — From the landing page, select a System Tree group to analyze. Endpoint

Upgrade Assistant analyzes only endpoints in that group. When you create a tag, it includes only endpoints located in the selected group.

• In McAfee ePO — Create a new tag, then copy endpoints with Endpoint Upgrade Assistant tags into the new

tag. See the McAfee ePolicy Orchestrator Product Guide for more information.

Export system and product information Search, sort, filter, and validate results from Endpoint Upgrade Assistant by downloading the information for a selected category in comma-separated values (CSV) format. Send this information to McAfee support when reporting an issue with Endpoint Upgrade Assistant, or use it to troubleshoot issues, identify the endpoints required for upgrades, and resolve differences between the reported and expected status of endpoints.

Task

1 From the Overview tab, in the Environment Overview table, click Export System and Product Details.

2 Import this data into Microsoft Excel, then sort and filter as needed to identify the endpoints outside your expected groupings.

Troubleshooting blocked endpoints

Endpoints that the Endpoint Upgrade Assistant can't analyze are listed on the Overview tab in a table called Blocked from Upgrading. Blocked endpoints do not appear on the Upgrade tab.

• Incompatible systems — These endpoints cannot be upgraded due to hardware, memory, or operating system limitations. Endpoints might fall into more than one category. For more information see KB82761.

• Currently excluded systems — These endpoints have McAfee products installed that are not yet supported by

the Endpoint Upgrade Assistant. Note that the list of supported products is updated with new products regularly.

• Unmanaged systems — These endpoints can't be detected due to problems with McAfee Agent.

McAfee ePO locates endpoints by querying Active Directory. It uses McAfee Agent to detect the McAfee products installed. It can't detect what is installed when:

• McAfee Agent is not installed.

• An unsupported version of McAfee Agent is installed.

• McAfee Agent is not set to Managed mode.

To correct the problem, install a supported version of McAfee Agent or make sure that Managed mode is enabled, then click Re-analyze Environment for an updated listing of the products installed in your environment.

Refresh the McAfee ePO database You can often resolve a blocked status by sending endpoints an agent wake-up call that asks for full properties. To analyze the products installed on endpoints, the Endpoint Upgrade Assistant queries the McAfee ePO database. When the version information for McAfee products on one or more endpoints is not correctly captured in the database, those endpoints are blocked from upgrades. In some cases, endpoints might report blank or incorrectly formatted version information.

You can refresh the database to ensure that all products installed on the endpoints in your environment are reported correctly in the McAfee ePO database.

Task

1 From the Overview tab, select Export System and Product Details to export details about these endpoints in CSV format.

Use this information to identify and resolve issues with each endpoint.

2 Create a McAfee ePO task to update the client properties for these specific endpoints.

This refreshes the information in the McAfee ePO database. See the McAfee ePolicy Orchestrator Product Guide for more information.

Troubleshooting installation and uninstallation issues Use this information to resolve issues that occur when attempting to install the Endpoint Upgrade Assistant or to uninstall McAfee products during an upgrade.

• Installation fails because Software Manager is busy — In rare circumstances, installation fails if the

Software Manager is actively checking in the required software packages when installation begins. If this happens, wait until the packages are checked in, then begin installation again. Alternatively, you can stop the task that is updating the Software Manager.

• The Endpoint Upgrade Assistant fails to install because files were left behind by a partial installation

— If you tried and failed to install the Endpoint Upgrade Assistant, some files might have been left behind that prevent you from installing the product again. Remove these files before attempting to install again.

Remove files after a failed installation If the Endpoint Upgrade Assistant fails to completely install, you need to manually remove any parts of the extension that were installed before attempting to install again.

Before you begin

Examine the Orion logs to determine why the installation failed. If McAfee ePO is installed in the default location, the logs are located under C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\Logs.

Task

1 Remove the extension xml from C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server \conf\Catalina\localhost\UpgradeAssistant.XML.

2 Remove the extension directory from C:\Program Files (x86)\McAfee\ePolicy Orchestrator

\Server\extensions\installed\EndpointUpgradeAssistant.

3 Remove the OrionExtensions entry from the McAfee ePO database table.

Run the following SQL query:

DELETE FROM dbo.OrionExtensions WHERE Name = 'EndpointUpgradeAssistant'

4 (Optional) Restart the server only if you can't execute the first two steps (for example, if the files are locked).

Troubleshooting issues with Endpoint Upgrade Assistant Use this information to resolve issues related to analyzing and reporting data and performance.

• Analysis inconsistencies — Inconsistent version numbers that appear in the tables are not a reporting error; they refer to data entries in the database. You might need to refresh the McAfee ePO database.

• Mismatched queries — Upgrade Automation might categorize endpoints differently from the manual

upgrade process. Upgrade Automation follows specific query criteria, and the sets of categories can be exported.

When the number of endpoints reported by Endpoint Upgrade Assistant doesn't match the number you expect (for example, the number of workstations, servers, or upgrade steps), use the export function to download a list of endpoints and their details in CSV format.

• Missing packages — The Prepare tab highlights missing software packages that are required for upgrading.

After missing packages are checked in, click Re-Analyze Environment to refresh the page so you can see the updates.

• Performance issues — The time required to analyze your environment depends on the size of the McAfee

ePO database, which depends on the size of your managed environment. Larger environments take longer to analyze. You can use the drop-down list to select a System Tree group (a subset of endpoints) to reduce the number of endpoints to analyze.

• Outdated queries and reports — If outdated information appears in reports, click Re-analyze Environment to

refresh the queries and regenerate the report.

See also Troubleshooting blocked endpoints on page 30 Refresh the McAfee ePO database on page 30 Export system and product information on page 30

Troubleshoot issues with Upgrade Automation Use these steps to prevent or troubleshoot problems related to Upgrade Automation.

Best practice: Examine the Upgrade Automation logs to help determine the problem area. Upgrade Automation

updates its logs for each step of the troubleshooting process. Logs are saved at the location %windir%\Temp \McAfeeLogs\EndpointUpgradeAutomation.log.

You can use these steps:

• In a test environment to ensure Upgrade Automation works correctly.

• When an Upgrade Automation task fails in your production environment.

Task

1 On endpoints, monitor progress in the Agent Monitor, where details about the actions performed by client deployment tasks are logged.

2 Verify that the Endpoint Upgrade Assistant package downloaded McAfee Agent and Endpoint Security. See

the table below for more information.

If McAfee Agent 4.x was installed on the endpoint before upgrading, then FOLDER PATH is C:\ProgramData \McAfee\Common Framework\[Current|Previous|Evaluation]

If McAfee Agent 5.x was installed on the endpoint before upgrading, then FOLDER PATH is C:\ProgramData \McAfee\Agent\[Current|Previous|Evaluation]

These folders indicate that the download was successful Product

<FOLDER PATH>\ENDP_AM_1050 Endpoint Security 10.5

<FOLDER PATH>\ENDP_AM_1060

<FOLDER PATH>\ENDP_FW_1050

<FOLDER PATH>\ENDP_FW_1060

<FOLDER PATH>\ENDP_GS_1050

<FOLDER PATH>\ENDP_GS_1060

<FOLDER PATH>\ENDP_WP_1050

<FOLDER PATH>\ENDP_WP_1060

<FOLDER PATH>\EPOAGENT3000 McAfee Agent 5.0.5 or later

<FOLDER PATH>\EUA_AUTO1000 Endpoint Upgrade Automation package (contains three .exe and two script files)

Potential remediation step: Make sure the correct versions of McAfee Agent (version 5.0.5 or later) and Endpoint Security (version 10.5.x) are checked in to the same branch in McAfee ePO that the Endpoint Upgrade Automation package was deployed from (for example, Current, Previous, or Evaluation).

3 Verify that there aren't any conflicting products on the endpoint that could stop the Endpoint Upgrade Automation package from running. Check the logs for this information:

Log entry Indicates

All steps completed successfully for product: ENS_HW_Requirements Success

All steps completed successfully for product: ripper_conflict Success

All steps completed successfully for product: ENS_RegistryConflicts Success

All steps completed successfully for product: ENS_MSIConflicts Success

OneBuild progress set to: COPY_FILES_COMPLETE Success

All steps completed successfully for product: ENS1050_Conflicts Success

All steps completed successfully for product: ENSSuccess Success

Potential remediation step: Remove conflicting products and redeploy the Endpoint Upgrade Automation package to the endpoint.

4 Verify that VirusScan Enterprise and Host Intrusion Prevention policies were copied successfully on the

endpoint.

Log entry Indicates

Step preserve_policy completed successfully for product: VSE 8.8 Success

Step preserve_policy failed for product: VSE 8.8 Failure

Step preserve_policy completed successfully for product: HIPS 8.0 Success

Step preserve_policy failed for product: HIPS 8.0 Failure

Potential remediation step: If an error occurs while copying policies, it does not stop the installation. After Endpoint Security is installed on the endpoint, it pulls the latest policies from McAfee ePO.

5 Verify that McAfee Agent upgraded successfully.

Log entry Indicates

FramePkg.exe -- SUCCESS Success

FramePkg.exe -- FAIL Failure

Potential remediation step: Contact McAfee Support if the upgrade stops.

6 Verify that Endpoint Security installed successfully.

Log entry Indicates

setupCC.exe succeeded Success

setupCC.exe --FAIL Failure

setupTP.exe succeeded Success

setupTP.exe --FAIL Failure

Potential remediation step: Contact McAfee Support if the installation stops.

7 Verify that Upgrade Automation finished successfully.

Log entry Indicates

All steps completed successfully for product: ENSSuccess Success

OneBuild exit code is 0 Success Troubleshooting issues related to Package Creator

Examine the log files to prevent or troubleshoot problems related to using Package Creator and custom product installers.

Package Creator log files

When you use Package Creator to create a product installer, Package Creator logs events at this location on the local system:

%windir%\Temp\McAfeeLogs\EndpointUpgradeAutomation.log

Product installer log files

The product installer is the deployment package created by Package Creator. When the product installer runs, it uses the same product removal and installer logic that Upgrade Automation uses, and it creates log files with a similar signature to Upgrade Automation.

The product installer logs events related using the product installer at this location on local systems:

%windir%\Temp\McAfeeLogs\EndpointUpgradeAutomation.log Note: With EUA 2.2 A customer specific location for the EUA logs can be specified.

If you deploy to the same system where you used Package Creator to create the product installer, the product installer appends data to the log file created by Package Creator.

Increase package size limit in McAfee ePO Most McAfee ePO servers have a maximum size limit for packages of 250 MB. If the product installer you've created in Package Creator is larger than 250 MB, you need to increase the limit before checking in the package to the McAfee ePO server.

To increase this limit, change the value specified in a McAfee ePO properties file. See the McAfee ePolicy Orchestrator Product Guide for more information.

Task

1 In Notepad or another editor, open C:\Program Files (x86)\McAfee\ePolicy Orchestrator \Server\conf\epo\epo.properties.

2 Increase the value specified for file.upload.limit to 400.

For example, change file.upload.limit = 250 to file.upload.limit = 400.

3 Save the file, then restart the McAfee ePO server.

Reporting an issue to McAfee Support To expedite assistance, include all the required information when reporting an issue to McAfee Support.

Endpoint Upgrade Assistant issues

Provide this information when reporting an issue:

• Brief description of the issue — If possible, provide the steps required to reproduce the issue.

• Screenshots

• Logs from the time when the issue occurred

McAfee ePO server logs, also called Orion logs, can be found in the log directory (for example, McAfee \ePolicy Orchestrator\Server\Logs). If McAfee ePO is installed in the default location, the logs are located under C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\Logs.

• Version numbers for these components:

• McAfee ePO

• Endpoint Upgrade Assistant extension

• Approximate number of endpoints running in your environment.

• If relevant, include an export of the endpoint details.

Upgrade Automation issues

Provide this information when reporting an issue:

1 MER data — Before submitting an issue, open the Minimum Escalation Requirements (MER) tool and follow the instructions provided in KB59385 to collect product data for analysis.

2 Brief description of the issue

3 Screenshots

See also Export system and product information on page 30

0-00